Malicious RTF — malware analysis report

Static analysis result for SHA-256 79d3e556e61ce6a2…

Verdict: MALICIOUS
File type: RTF
Size: 2.6 KB
First seen: 2021-06-20
MD5: d0efe447b9a20b8fbf727b08245c1247
SHA-1: b5aaea88224a6bdb3fb2230b41be2a4130dafd0d
SHA-256: 79d3e556e61ce6a2688f9461029c193d98fd19b60ff8f50f64e06848ff9cef26
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer
  • T1547.001 Registry Run Keys / Startup Folder

The RTF document contains embedded script that uses the ADODB.Recordset object to fetch a file from 'http://hometown.aol.com/mcbain/calc.exe' and write it to 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealAudio.exe', so the downloaded executable runs at the next logon of any user (T1105, T1547.001). It also writes a file named 'Microsoft Office.hta' into the same Startup folder, a second persistence mechanism. The ClamAV signature 'Win.Exploit.ADODB-1' matches this abuse of ADODB for file download and file write from a document (T1203). Note that the Startup path is the Windows XP / Server 2003 layout, so this payload targets legacy systems; on current Windows the equivalent folder is under C:\ProgramData.

Heuristics (2)

  • ClamAV: Win.Exploit.ADODB-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Exploit.ADODB-1
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / channel:
    • http://www.2test.com (in RTF body)
    • https://ticsa.trusecure.com (in RTF body)
    • http://www.michaelevanchik.com/security/microsoft/ie/xss/index.html (in RTF body)
    • http://hometown.aol.com/mcbain/calc.exe (in RTF body)
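The summary above and the URL list are the two things a triage script has to reproduce for a document like this: pull the URLs out of the RTF body, spot the ADODB object that does the download and the write, and flag any write into a Startup folder. The following is an added example, not the report's own analysis pipeline and not code from the sample. It runs on a constructed RTF fragment (hypothetical, not the bytes of the analysed file) that mimics the indicators named in the report, and it maps what it finds onto the three ATT&CK techniques listed above. The regular expressions, the `triage` verdict thresholds, and the `SAMPLE_RTF` text are all assumptions made for the example.

```python
"""Added triage example for the ADODB download-and-drop pattern described in
the report. Constructed for illustration; not the report's analysis pipeline."""
import re

# Constructed RTF fragment (hypothetical, not the analysed sample's bytes).
# Backslashes in the paths are RTF-escaped as "\\", as they would be in a real
# RTF body, so the normaliser below has something to collapse.
SAMPLE_RTF = r"""{\rtf1\ansi
{\field{\*\fldinst{HYPERLINK "http://www.michaelevanchik.com/security/microsoft/ie/xss/index.html"}}{\fldrslt Here}}
\par Set rs = CreateObject("ADODB.Recordset")
\par src = "http://hometown.aol.com/mcbain/calc.exe"
\par rs.Save "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\RealAudio.exe", 0
\par hta = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.hta"
}"""

URL_RE = re.compile(r"https?://[\w.\-/%?=&+#~:]+")
# Both ADODB objects commonly abused for download/write from a document.
ADODB_RE = re.compile(r"ADODB\.(?:Stream|Recordset)", re.I)
# Any drive-letter path that ends inside a Start Menu\Programs\Startup folder.
STARTUP_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?Start Menu\\Programs\\Startup\\[^"\r\n]+', re.I)
DROPPABLE = (".exe", ".dll", ".scr", ".hta", ".vbs", ".js")


def normalize_rtf(text: str) -> str:
    """Decode \\'hh codepage escapes and collapse RTF-escaped backslashes."""
    text = re.sub(r"\\'([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return text.replace("\\\\", "\\")


def _unique(items):
    """Order-preserving de-duplication."""
    return list(dict.fromkeys(items))


def extract_urls(text: str) -> list:
    return _unique(URL_RE.findall(text))


def extract_adodb_objects(text: str) -> list:
    return _unique(m.group(0) for m in ADODB_RE.finditer(text))


def extract_startup_drops(text: str) -> list:
    return _unique(m.group(0) for m in STARTUP_RE.finditer(text))


def triage(rtf: str) -> dict:
    """Return indicators, ATT&CK mapping and a verdict for one RTF body."""
    text = normalize_rtf(rtf)
    urls = extract_urls(text)
    adodb = extract_adodb_objects(text)
    drops = extract_startup_drops(text)
    hta_drops = [p for p in drops if p.lower().endswith(".hta")]
    # A URL whose last path component looks like an executable payload.
    remote_payloads = [u for u in urls if u.lower().rsplit("/", 1)[-1].endswith(DROPPABLE)]

    techniques = []
    if adodb:                       # script inside the document runs ADODB
        techniques.append("T1203")
    if adodb and remote_payloads:   # ADODB used to pull a payload from the network
        techniques.append("T1105")
    if drops:                       # anything written to a Startup folder runs at logon
        techniques.append("T1547.001")

    if "T1547.001" in techniques or "T1105" in techniques:
        verdict = "MALICIOUS"
    elif adodb or remote_payloads:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"

    return {
        "urls": urls,
        "adodb_objects": adodb,
        "startup_drops": drops,
        "hta_drops": hta_drops,
        "remote_payloads": remote_payloads,
        "attack": techniques,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

The URL channel label in the report ("in RTF body") is exactly what `extract_urls` reproduces: it only looks at plain text, so it will miss URLs that sit inside hex-encoded OLE objects or `\objdata` blobs. For those, decode the object payload first and run the same functions over the decoded bytes.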